Advising the Board on Technology Operational Risk

Directors’ risk report

All businesses are dependent on their IT systems and the deployment of technology is a board-level issue.

Directors should be involved in decisions concerning the selection of IT systems and suppliers. They may find themselves facing questions from shareholders, customers or even the media if technology failure has an impact on the ability of a business to deliver services or a new IT system does not deliver the benefits the business expected. In a competitive sector, the efficiencies driven by IT can be the difference between the businesses that thrive and those that lose market share to their rivals.

Few directors will claim to be proficient in IT procurement or delivery, but it is important for them to know the reasons why IT projects often fail and the steps which can be taken to minimise the risk of project failure. This will equip them to provide effective oversight of IT delivery and minimise the risk of disruption to the business.

IT projects rarely follow a straight path from the Request for Proposal to go-live and no two projects follow the same course, with each bringing different challenges. Following a disciplined approach to selection and delivery can significantly reduce the risk of project failure. The board can help in this process by effective supervision of the procurement and delivery teams and by ensuring the benefits of the system are always kept in mind.

Stakeholder Risk Thermometer for Technology Operational Risk

In-house commercial perspective 

from Matthew Phillips
Group Director of Business Assurance, B&CE Holdings

Technology projects tend to have the same associated risk as all other projects but these can be exacerbated by the fact that technology is not the core business of a firm and as such it might be necessary to place reliance on third party suppliers. Therefore, the correct selection, due diligence and management of such technology providers is key to ensuring that the benefits envisaged are attained and the risks identified are mitigated effectively. The changing nature of technology and endless possibilities can make it difficult to outline robust requirements and as such the assistance of relevant technology providers to provide the relevant insight and guidance can help. It is important to remain focused on the end outcome, however, to prevent a changing scope. Where a third party is being utilised it is important to have a well-defined contract and adequately defined change of control procedures to help guard against increasing cost.

The need to identify and consider associated risks at the early stages of technology projects cannot be over-emphasised. Both internal and external resources as well as a wider pool of technology related information are required to manage those risks.

Selection of the supplier and the system

The starting point for mitigating IT operational risk is the procurement process: choosing the right IT system and the right supplier to deliver it. All too often, unless the approach to procurement is rigorous and structured, the IT project will be doomed to fail.

Properly assess the business case for the new IT system:

  • Cost: procurement of a new IT system will often be an expensive exercise, both in terms of the financial outlay and the time commitment of management and business teams.
  • Commercial value: whilst it may be difficult to assess all of the benefits and opportunities (financial and non-financial) from a new IT system, an analysis of them is an important input into the business case, and such inputs should also be rigorously tested and verified.
  • Implementation: IT implementations often take months or even years and the business’s operations and objectives may change dramatically over that period.

The board should test the business case for the new IT system, the extent to which it is future-proof and the projected return on investment before giving its approval to the project.

Careful selection of supplier: Unsurprisingly, appointing the wrong supplier is often the cause of project failure. The customer must ensure that the appointed supplier has the experience and resources to deliver the solution. In a competitive tender, the board should ensure that:

  • the procurement team understand the business requirements of the required system, and articulate them as clearly as possible;
  • the selection criteria are properly suited to the nature of the project; and
  • the recommendations put forward by the procurement team are tested, due diligence is carried out carefully, references contacted, and site visits undertaken.

Stakeholder buy-in: Within any organisation, there will be a range of hopes and expectations concerning the replacement of an IT system or the procurement of a new IT system. The board should encourage the procurement team to include people who represent as broad a range of those interests as is practical when assessing bids and making their recommendations; this includes representatives of the employees who will be operating the new system on a daily basis.

Early buy-in from the users will help to ensure the system is quickly accepted and accelerate the efficiencies and benefits of the system when deployed.

Contractual protections: The board will not want to be involved in negotiating the contract with the supplier. They should nonetheless be satisfied that it contains:

  • proper governance structures;
  • certainty in relation to cost insofar as possible;
  • mechanisms to provide for effective redress if the supplier is unable to meet its delivery deadlines, such as liquidated damages provisions (which have the additional benefit of incentivising the supplier to deliver on time);
  • risk allocation provisions to ensure that the balance between risk and reward for the supplier is appropriate; and
  • well-defined processes for managing changes, which may be required as the system is developed.

Certainty as to these arrangements at the outset can prevent disputes and minimise bad feeling between the business and supplier, enabling both delivery teams to focus on the job in hand.

Management of the delivery phase and beyond

The board will rarely be involved in the day-to-day delivery of the IT system. However, they will have a role to play in governance meetings and can provide the support and guidance needed to ensure that the problems encountered during the delivery phase are managed quickly and effectively, avoiding escalation.

Definition of requirements: There will need to be effective engagement between the business and the supplier throughout the project to make sure that the business’s requirements are properly understood and the IT system is able to achieve its business objectives. The project cannot simply be handed over to the supplier.

The business must be involved throughout and the board should ensure that the right resources and the necessary time are devoted to assisting a successful delivery.

Governance of the project: The board should expect and insist that they play a part in the governance of the project. Regular reporting to the board during the delivery phase can provide the opportunity for directors to assist in managing the day-to-day problems and delays which will inevitably be encountered.

The board should ensure that both the business’s and the supplier’s delivery teams follow the proper project governance procedures set out in the contract. This includes:

  • proper logging of risks and issues;
  • following the change management process where changes
  • logging delivery of milestones to the project plan; and
  • ensuring adequacy of resourcing.

Dispute management: Given the demanding nature of many IT projects, it is not surprising that disputes between a business and its IT supplier are commonplace. The board can play a part in seeking resolution.

When a project is going off track, each party will blame the other. The business may question the supplier’s ability to deliver, typically alleging that it overstated its capabilities or it is diverting resources to other projects. The supplier may say that the business does not know what it wants or has changed its mind and is deliberately frustrating delivery.

If members of the board have a high-level understanding of the project, the fact that they are detached from the day-to-day strains of the delivery teams, and from the acrimony which may develop on a difficult project, may assist them in finding effective solutions to disputes and getting the project back on track.

Driving a culture of change: A new IT system is often part of a broader change to a business’s processes and operations. Change can bring uncertainty and resistance. Clear and effective communication is crucial to ensure that management, employees and, possibly, customers know what direction the business is taking and the reasons for, and benefits of, any change in direction.

It is important that the board or management articulates the reasons for the change and the benefits it will bring to the business, and reinforces those messages throughout the delivery phase and following go-live of the system.

Common reasons for project failure

Business’s expectations are unclear
Think carefully about the business case for a new IT system and the benefits it should deliver.

Wrong supplier appointed
Consider proposals from all suppliers carefully against weighted criteria. Do not appoint a supplier on price alone.

Supplier over-promises
Carry out careful due diligence. Test the supplier’s assertions. Ask questions. Contact references. Undertake site visits.

Resistance from the users
Include in the procurement team representatives of those who will use the new system on a day-to-day basis.

Misaligned requirements
Be diligent in defining and articulating the functionality of the new system. Leave no room for misunderstanding.

Under-resourced delivery team
Provide sufficient resources to assist the supplier to deliver, and make sure the supplier does not reassign key personnel to other projects.

Inappropriate project governance
Ensure that the delivery team follows proper governance procedures and changes are properly documented.

Scope creep
Keep to specification. Avoid changes to requirements, which will add to cost and delay delivery.

The expert’s perspective

from Allan Watton, Chief Executive, Best Practice Group plc

Clear communication and effective project management are essential for the successful delivery of any IT project:

1. As a Board, you will have a clear understanding of the business vision and the strategy to deliver it (the Desired State). The challenge on many projects is ensuring the supplier understands and supports that vision.

In every successful IT project we have seen, the supplier is treated as a ‘partner in delivering business outcomes’.

In most unsuccessful projects, the supplier has only had ‘system requirements’ communicated to it with little context of what quantified business outcomes or objectives will be enabled once the solution has been successfully implemented.

2. A critical success factor for any complex IT project is the deep competency inherent within the client side management team that is leading the initiative. The relationship between the customer and supplier is more likely to be successful if their respective delivery teams include individuals with a mix of core skills including: collaborative stakeholder management, a deep understanding of key business objectives, technical domain expertise, contractual understanding, facilitation and pro-active conflict management.

3. Having dealt with over 500 IT projects, often resolving disputes in an expert witness capacity, we have seen many good practices that provide the foundations for success, along with a number of poor practices to be avoided. 

When selecting a supplier, your client side management team should carry out due diligence to establish that the supplier is collaborative – a team player. The supplier should also act as an ‘Intelligent Supplier’, aware of its obligation to act in your interests, fully understanding your Desired State and advising if any of your expectations are unlikely to be achieved; and suggesting alternative ways to meet your business objectives if possible.

The contract and governance procedures should have mechanisms for encouraging these good behaviours and not just penalising the supplier for poor performance. Your management team should set out the behaviours expected of the supplier, and the behaviours the supplier can expect from your client team. The subtle use of behaviour management techniques, combined with contractual clauses that enable good behaviours, will often save a considerable amount of time and money. 

Large IT solutions have inherently complex supplier-client relationships. However, by having an articulated ‘Desired State’ at the outset, supported by an Intelligent Supplier, an initiative driven client side management team, good governance and contractual foundations that encourage and reward enabling behaviours, you will set yourself up to drive the best possible outcome.

Summary: practical risk management for directors

IT projects by their very nature carry significant operational risk. Projects very often encounter difficulties whether through delay, cost overrun, or for more fundamental reasons, and all too frequently end in disappointment. Effective management of the risks will help to minimise the likelihood of project failure and mitigate its impact.

The board has a key role to play, both before the project has commenced, by scrutiny over the supplier selection process, and throughout the delivery phase through the governance and oversight of the business’s delivery team. Proper management of the risks and oversight of the project can be the difference between successful delivery and project failure.

1. Selection – Ensure the procurement team properly understand the needs of the business and how the IT system will be used to generate benefits. Carefully select the supplier after full appraisal of competing bids.

2. Communication and engagement – Ensure the business’s vision is properly communicated to the supplier and the supplier understands the behaviours expected of it and what it can expect from the client-side delivery team.

3. Robust and properly documented contractual arrangements – Ensure that the contract includes all the appropriate protections and rights for the business and has all the business requirements and technical specifications incorporated in a contractually enforceable manner.

4. Governance – Ensure governance is properly managed, key stakeholders are engaged in project governance and involved in all significant decisions, and that any change to the delivery is fully documented.

5. Dispute resolution – Ensure that day-to-day issues and misunderstandings are dealt with quickly and decisively. If a dispute escalates, the board should take a dispassionate approach to resolve the issues and, if possible, get the project back on track.

To find out more about risk essentials events you can visit the Risk Essentials events page.

To find out more about other CMS Risk reports you can visit the CMS Risk reports page.

To find out more about risk-related insights and content you can visit the Risk, Resilience and Reputation Insights section.
